From: Johannes Berg <johannes.berg@xxxxxxxxx> This (partially) reverts commits - 838c7b8f1f27 ("wifi: nl80211: Avoid address calculations via out of bounds array indexing") - f1d3334d604c ("wifi: cfg80211: sme: init n_channels before channels[] access") - 82bbe02b2500 ("wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request") These commits all set the structure to be in an inconsistent state, setting n_channels to some value before them actually being filled in. That's fine for what the code does now, but with the removal of __counted_by() it's no longer needed and it does leave a bit of a landmine there since breaking out of some code to send the scan or something would leave it wrong. Remove the now superfluous n_channels settings. Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
---
 net/mac80211/main.c | 1 -
 net/wireless/nl80211.c | 1 -
 net/wireless/sme.c | 1 -
 3 files changed, 3 deletions(-)
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 6b6de43d9420..2a7587955127 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1359,7 +1359,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
 GFP_KERNEL);
 if (!local->int_scan_req)
 return -ENOMEM;
- local->int_scan_req->n_channels = channels;
 eth_broadcast_addr(local->int_scan_req->bssid);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 50202d170f3a..f45293b2a0a2 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9439,7 +9439,6 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
 request = kzalloc(size, GFP_KERNEL);
 if (!request)
 return -ENOMEM;
- request->n_channels = n_channels;
 if (n_ssids)
 request->ssids = (void *)request + ssids_offset;
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index cf998500a965..7a734c8085af 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -83,7 +83,6 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
 if (!request)
 return -ENOMEM;
- request->n_channels = n_channels;
 if (wdev->conn->params.channel) {
 enum nl80211_band band = wdev->conn->params.channel->band;
 struct ieee80211_supported_band *sband =
--
2.50.1